Rachael Eyre looks at the data protection implications for UK law firms post-Brexit.
On 1st January 2021 the Transition Period ends, and the UK is no longer subject to EU Law*. This includes the GDPR.
From next year the GDPR will be incorporated into UK law and become the UK GDPR and, for the most part, be the same. There will be some tweaks around reporting institutions, and the ‘one stop regulatory shop’ will cease. This could lead to double fines, as an organisation may be answerable to both the UK and an EU supervisory authority for the same breach.
Additionally, the EU/US Privacy Shield has been found, in the Schrems II decision, not to provide sufficient protection for personal data.
The main change for organisations concerns personal data transferred into or out of the UK. There are several different categories:
Personal data transferred to the EEA or a country with an Adequacy finding
UK organisations can continue to transfer personal data to these countries as before, as they are deemed safe under the UK GDPR.
Personal data transferred to a country outside of the EEA and without an Adequacy finding (including the USA)
For these countries, you will need a safe mechanism. Currently available safe mechanisms are:
- Binding Corporate Rules (BCR) – effective within your own organisational structure; they need to be approved by a supervisory authority (such as the ICO).
- Standard Contractual Clauses (SCC) – these have to be incorporated in their entirety and without amendment. Organisations should check that the SCCs are sufficient and, where more is needed, add supplemental clauses to the rest of the contract. SCCs are under review in both the EU and the UK.
Personal data transferred to the UK from the EEA or a country with an Adequacy finding
The UK will be the equivalent of a third country, so any organisation sending personal data to the UK will need SCCs or BCRs in place.
Where you offer goods or services to individuals in the EEA but have no office or establishment in the EEA
In this case you will need to appoint a European Representative. They act as a contact point between you and your client / customer, and between you and the supervisory authority (the equivalent of the ICO) in the EEA. You can be deemed to be offering goods and services to individuals in the EEA simply because your website is translated into a European language or you offer delivery there. There are many organisations throughout the EEA (and in the UK) set up to offer this service economically.
What about Adequacy?
The UK is negotiating an Adequacy finding, but this may not happen, as there are difficulties around the Investigatory Powers Act and the Internal Market Bill. So, while the UK will stay closely aligned to the EU GDPR, it is not certain there will be an Adequacy finding, which makes SCCs and the other mechanisms important.
What about the Privacy Shield?
As with Safe Harbour in 2015, Schrems II has found the Privacy Shield to be inadequate protection. In any event, it is an EU / US Privacy Shield, so on leaving the EU the UK is no longer covered by it regardless. Other mechanisms will need to be used.
Things to do before 1st January 2021
- Check your data flows – are you sending anything outside of the EEA and Adequacy countries?
- If yes, carry out a Transfer Impact Assessment – like a Data Protection Impact Assessment, but concentrating on the countries you are sending to. Check that your mechanisms remain adequate after leaving the EU and after Schrems II.
- If your mechanisms are not adequate, then you need to look at Binding Corporate Rules (if the transfer is within your own organisation) or Standard Contractual Clauses if not. This includes anything that was previously covered by the Privacy Shield. You may need to put additional terms in your data protection provisions to ensure the SCCs are robust enough.
- If you are receiving personal data from an organisation in the EEA or an Adequacy country, you will need to ensure that your contract includes an adequate mechanism for the transfer, such as SCCs or BCRs.
- If you are offering goods or services in the EEA and do not have an office or establishment there, appoint an EU Representative.
There may be an Adequacy finding, which will make transfers easier.
The European Data Protection Board is due to release further guidelines. While the UK won’t be bound by them, it is likely the UK will stay aligned.
Other mechanisms will be available in both the EU and the UK: standard data protection clauses adopted by the ICO, approved codes of conduct combined with binding and enforceable commitments from the receiver outside of the EEA, and certification under an approved certification mechanism. SCCs are also under review in both jurisdictions, and updated versions are expected in 2021.
*This note is based on the envisaged ‘non-negotiated outcome’, or no deal, scenario. If a deal is struck with the EU in the meantime, we will update this note as necessary.